Re: How to Report a Security VulnerabilitytoMicrosoft

[Valdis.Kletnieks () vt edu]

On Tue, 12 Apr 2005 17:21:20 EDT, mcbain () aol com said:

> I personally have only been effected once _severely_  after patch Tuesday. 

You've been lucky, then.. ;)

>  But think about it,  the testing scenarios that exist on planet earth can
> not possibly be even accounted for let alone tested in Redmond.

Insufficient testing for breaking end-user configurations is an entirely
different issue.

Your claim was that "they find the root of the problem", and that doing this
adds time to get the patch out the door.  My point is that if they in fact
were doing that, we'd not see so many "It still works if you put a \ in front
of the semicolon" type reports - an indication that the released patch is not
in fact fixing the basic problem.

(To be fair to Microsoft - sometimes the "basic problem" is a basic conceptual
design flaw that can't be fixed in a clean compatible way, and you end up
just papering over the known holes and pushing a "real" fix off to "the next
release")

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/